Mariano Cano
a864f0134d
Fix key version when SHA512WithRSA is used.
...
There was a typo creating RSA keys with SHA256 digests instead of
SHA512
2021-08-16 14:47:38 -07:00
Mariano Cano
c4d0c8a18e
Fix credentials file parameter on awskms
2021-06-11 21:40:04 -07:00
Herman Slatman
877fc9ae8c
Add tests for CreateDecrypter
2021-05-07 15:32:07 +02:00
Herman Slatman
68d5f6d0d2
Merge branch 'master' into hs/scep
2021-04-29 22:18:00 +02:00
Mariano Cano
180b5c3e3c
Fix typo.
2021-04-21 16:20:53 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments
2021-03-21 16:42:41 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep
2021-02-26 00:41:33 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority
2021-02-26 00:32:21 +01:00
Max
8ead310d24
Merge pull request #485 from smallstep/max/actions
...
Convert to github actions
2021-02-22 22:23:48 -08:00
Mariano Cano
163eb7029c
Refactor cloudkms signer to return an error on the constructor.
2021-02-19 15:36:55 -08:00
Mariano Cano
cae08bff80
Validate that the signer can get the public key.
2021-02-19 11:28:35 -08:00
max furman
f88f58440f
add //nolint for new 1.16 deprecation warnings
...
- dsa
- pem.DecryptPEMBlock
2021-02-18 20:14:20 -08:00
Mariano Cano
2ba4e37530
Add URI support to configure yubikeys.
2021-02-16 15:02:20 -08:00
Mariano Cano
4c562160fc
Fix typo.
2021-02-16 14:52:55 -08:00
Mariano Cano
4bec2b04ec
Add support for retired key management slots on yubikey.
...
Fixes #461
2021-02-16 14:47:34 -08:00
Mariano Cano
a947779795
Add uri support initializing cloudkms.
2021-02-16 13:11:47 -08:00
Mariano Cano
4902e45729
Add URI support initializing an awskms.
2021-02-16 13:10:53 -08:00
Mariano Cano
1ddddb6bc7
Permit linting and testing without CGO support.
...
Use CGO for testing and building in travis.
Fixes #471
2021-02-12 13:18:30 -08:00
Mariano Cano
d03c088ab7
Add test cases for uris with only the schema.
2021-02-11 19:14:35 -08:00
Mariano Cano
f6cbd9dc88
Fix typos.
2021-02-11 19:14:15 -08:00
Mariano Cano
ebaeae9008
Avoid closing pkcs#11 context twice.
2021-02-08 19:16:57 -08:00
Mariano Cano
f425a81d36
Enforce the use of id and label when generating objects.
2021-02-04 12:53:08 -08:00
Mariano Cano
dd6a43ad13
Add fake implementation of pkcs11 key manager without cgo.
...
This allows other binaries to import pkcs11 directly even if they
are compiled without cgo.
2021-02-04 12:32:30 -08:00
Mariano Cano
3fdab93ab8
Add missing file.
2021-02-01 15:27:53 -08:00
Mariano Cano
a8260a3289
Add missing test.
2021-02-01 14:25:49 -08:00
Mariano Cano
41eff69fb3
Fix linting errors.
2021-02-01 14:22:53 -08:00
Mariano Cano
128d07f148
Use new GetEncoded method.
2021-02-01 14:17:39 -08:00
Mariano Cano
b28db61d5d
Add missing close causing panic with softhsm2.
2021-02-01 14:16:55 -08:00
Mariano Cano
a74fc7a0b2
Remove unnecessary methods and add missing tests.
2021-02-01 14:16:08 -08:00
Mariano Cano
50e9018a44
Fix missing return.
2021-01-28 19:53:25 -08:00
Mariano Cano
84a3c8c984
Rename nitrokey initialization to opensc.
2021-01-28 19:51:17 -08:00
Mariano Cano
b7afc92758
Complete tests.
2021-01-28 19:48:08 -08:00
Mariano Cano
3a479cb0e8
Add support for nitrokey.
2021-01-28 19:47:44 -08:00
Mariano Cano
e78d45a060
Add benchmarks for signing operations.
2021-01-28 19:46:48 -08:00
Mariano Cano
673675fa89
Convert pkcs11 tests to use tags.
2021-01-28 14:43:22 -08:00
Mariano Cano
6c113542c8
Fix ecdsa signature verification test.
2021-01-28 11:38:21 -08:00
Mariano Cano
35bf9b787e
Implement ecdsa.VerifyASN1 to be compatible with go < 1.15
2021-01-27 20:35:42 -08:00
Mariano Cano
d9da150a5f
Fix test.
2021-01-27 20:23:45 -08:00
Mariano Cano
294f84b8d4
Add initial set of unit tests for pkcs11 kms.
2021-01-27 20:17:14 -08:00
Mariano Cano
a6c784d5dd
Add missing pkcs11 package.
2021-01-26 20:15:57 -08:00
Mariano Cano
8dca652bc7
Add support for PKCS #11 KMS.
...
The implementation works with YubiHSM2. Unit tests are still pending.
Fixes #301
2021-01-26 20:03:53 -08:00
Mariano Cano
ccc403cf89
Fix comments, and return an error instead of fatal.
2020-11-18 17:50:21 -08:00
Anton Lundin
3e6137110b
Add support for using ssh-agent as a KMS
...
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.
This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.
That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.
This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.
Signed-off-by: Anton Lundin <glance@acc.umu.se>
2020-11-04 09:06:23 +01:00
Mariano Cano
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
2020-10-29 13:10:03 -07:00
Mariano Cano
f100b2d0e3
Make the YubiKey management key configurable.
...
With this change the default management key is not required as the
user is able to set its own.
Fixes #323
2020-09-17 16:07:32 -07:00
Pierre Laden
692f7692a2
fix #2 indentation
2020-09-16 22:26:53 +02:00
Pierre Laden
290d5ee979
fix gofmt complain
2020-09-16 22:15:42 +02:00
Pierre Laden
179e793f1a
- provide PINpolicy always to piv-go to avoid trying to use attestation cert, which we might not have
...
- bump piv-go version to 1.6.0
2020-09-16 21:59:48 +02:00
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
2020-08-14 15:33:50 -07:00